On 31Jan24 09:01-0800, Quanah Gibson-Mount wrote:
> Note that contrib modules are explicitly not maintained by the Project.
> You'll need to find someone in the community to fix these issues for you.
>
> I'd also wonder why you're not using the official OTP overlay:
>
> <https://www.openldap.org/software/man.cgi?query=slapo-otp&apropos=0&sektion=0&manpath=OpenLDAP+2.6-Release&arch=default&format=html>
>
> which is maintained by the project.
The reason was that we use it as a TOTP-only solution.
I had a test setup with slapo-otp as well, but this module required
userPassword + TOTP, IIRC, where we cannot have userPassword.
Our setup is to use TOTP as 2FA for ssh logins against the centralized
LDAP infrastructure. The ssh-login 1FA is an ssh pubkey (also in LDAP) and
2FA is TOTP. To achieve this we use a PAM module which does an ldapbind
against the user DN, whose userPassword uses the '{TOTP1}' scheme.
Maybe I am wrong or outdated here and slapo-otp also supports TOTP-only
authentication now?
Cheers,
--
Bastian Tweddell Juelich Supercomputing Centre
phone: +49 (2461) 61-6586 High Performance Systems
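As an added example (not code from this thread, the contrib module, or OpenLDAP), this is what a simple bind against a userPassword of the form {TOTP1}<secret> has to verify, written in Python against RFC 6238. The parameters (base32-stored secret, HMAC-SHA1, 6 digits, 30-second steps, one step of tolerance) and the replay check are assumptions for illustration, not something the mail states.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30   # assumed RFC 6238 default, not stated in the mail
DIGITS = 6          # assumed
WINDOW = 1          # assumed tolerance in steps either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def parse_totp1(userpassword: str) -> bytes:
    """Split a '{TOTP1}<base32 secret>' value into the raw shared secret
    (base32 storage is an assumption here)."""
    scheme, sep, body = userpassword.partition("}")
    if sep != "}" or scheme.upper() != "{TOTP1":
        raise ValueError("not a {TOTP1} value")
    return base64.b32decode(body.strip(), casefold=True)


def verify_bind(userpassword: str, submitted: str, unix_time: int,
                last_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check the bind 'password' (the 6-digit code) against the stored secret.
    Returns (ok, step_used). A code is accepted at most once per time step:
    last_step is the most recent accepted step, so a replayed or older code
    is refused (the replay check is an addition here, not from the mail)."""
    secret = parse_totp1(userpassword)
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_step
    current = unix_time // STEP_SECONDS
    for step in range(current - WINDOW, current + WINDOW + 1):
        if last_step is not None and step <= last_step:
            continue  # already consumed, or older than a consumed code
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_step
```

The inputs in the test are the RFC 6238 SHA-1 reference secret, so the codes can be checked against the RFC's own table.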